On 12/13/2011 10:50 PM, Sigbjorn Lie wrote:
Hi,

When adding users or user groups to a netgroup, the format of the netgroup triple ends up as follows:

nisNetgroupTriple: (-,username,ix.test.com)

The extra "-" prevents me from using IPA's netgroups for tcp wrappers using /etc/hosts.allow and /etc/hosts.deny for user access control. Making the same test with a NIS server, creating the same entry without the "-", works for user access control.

Looking at 389-ds' wiki, the "-" should not be there: http://directory.fedoraproject.org/wiki/Howto:Netgroups

Is this a configurable setting? Or should I open a ticket?
To answer myself: yes, this is configurable. There is an attribute under "cn=ng,cn=Schema Compatibility,cn=plugins,cn=config", named "schema-compat-entry-attribute". Changing this attribute from:
nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})
To:
nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})
makes the netgroup return correctly, and user-based hosts.allow and hosts.deny work just fine! The entries now look like:

nisNetgroupTriple: (,username,ix.test.com)

This allows me to use the same user group for access to services at Red Hat servers using SSSD/HBAC, and services at Solaris servers using tcp wrappers. SSH in Solaris comes with TCP wrappers built in, so no extra configuration is required. :)
Ticket opened: https://bugzilla.redhat.com/show_bug.cgi?id=767372

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
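To make the behaviour described in the thread concrete, here is an added example (not code from the thread, from FreeIPA or from 389-ds): a minimal innetgr()-style matcher over nisNetgroupTriple values. It follows the netgroup(5) rules that an empty field is a wildcard and a "-" field matches no value, and it assumes that a tcp_wrappers "@netgroup" lookup always supplies the connecting client's hostname, so the host slot of every triple is actually queried. The netgroup name "unix-admins", the host "sol1.ix.test.com" and the two netgroup tables are constructed for the example; the triples themselves are the ones quoted in the thread.

```python
# Added example: toy innetgr() over NIS netgroup triples, showing why the
# "(-,user,domain)" form cannot satisfy a lookup that names a host, while
# "(,user,domain)" can.  Not taken from FreeIPA, 389-ds or the thread.
import re

# One triple: "(host,user,domain)"; any slot may be empty or "-".
_TRIPLE = re.compile(r"^\(\s*([^,()]*)\s*,\s*([^,()]*)\s*,\s*([^,()]*)\s*\)$")


def parse_triple(value):
    """Split "(host,user,domain)" into a 3-tuple of stripped strings."""
    m = _TRIPLE.match(value.strip())
    if m is None:
        raise ValueError("not a netgroup triple: %r" % (value,))
    return tuple(f.strip() for f in m.groups())


def _slot_matches(entry, query):
    """Compare one slot of a stored triple with one slot of the lookup."""
    if query is None:      # caller does not care about this slot
        return True
    if entry == "":        # empty slot in the triple: wildcard
        return True
    if entry == "-":       # "-" in the triple: matches no value at all
        return False
    return entry == query


def innetgr(netgroups, name, host=None, user=None, domain=None, _seen=None):
    """Return True if (host, user, domain) is a member of netgroup `name`.

    `netgroups` maps a netgroup name to a list of members; a member is
    either a triple string or the name of a nested netgroup.  Cycles are
    cut with `_seen`, as a real resolver has to do.
    """
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in netgroups:
        return False
    _seen.add(name)
    for member in netgroups[name]:
        if member.startswith("("):
            h, u, d = parse_triple(member)
            if (_slot_matches(h, host) and _slot_matches(u, user)
                    and _slot_matches(d, domain)):
                return True
        elif innetgr(netgroups, member, host, user, domain, _seen):
            return True
    return False


# Constructed tables: the same user netgroup as the thread shows it before
# and after the schema-compat change.  The netgroup name is made up.
AS_RENDERED = {"unix-admins": ["(-,username,ix.test.com)"]}
AS_FIXED = {"unix-admins": ["(,username,ix.test.com)"]}


def tcp_wrappers_check(netgroups, client_host, user):
    """What a hosts.allow line such as "sshd: @unix-admins" asks for.

    Assumption of this example: the wrapper always passes the client's
    hostname, so the host slot is queried; the user slot is whatever the
    caller learned for the connection, and the domain is left unspecified.
    """
    return innetgr(netgroups, "unix-admins", host=client_host, user=user)


def user_only_check(netgroups, user):
    """A lookup that asks about the user alone and ignores the host slot."""
    return innetgr(netgroups, "unix-admins", user=user)


if __name__ == "__main__":
    for label, table in (("with '-'", AS_RENDERED), ("fixed", AS_FIXED)):
        print(label,
              "tcp_wrappers:", tcp_wrappers_check(table, "sol1.ix.test.com", "username"),
              "user-only:", user_only_check(table, "username"))
```

Run stand-alone, the script shows the asymmetry the thread reports: the "-" triple still satisfies a lookup that asks about the user alone, but fails as soon as a hostname is part of the query, which is exactly the case for a tcp_wrappers "@netgroup" rule; the fixed triple passes both. The nested-netgroup handling is there so the matcher also resolves memberNisNetgroup-style references, which is how hosts.allow rules usually end up being evaluated in practice.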
